crAPI  by OWASP

Vulnerable API for understanding critical security risks

Created 5 years ago
1,429 stars

Top 28.1% on SourcePulse

Project Summary

Summary

OWASP/crAPI (completely ridiculous API) is a deliberately vulnerable, microservices-based API built for training. It targets developers, security professionals and students who want to find and exploit the ten most critical API security risks (the OWASP API Security Top 10) in a safe, controlled environment, and to practise the corresponding fixes.

How It Works

crAPI is built as a modern microservices application. Its core design principle is to be "vulnerable by design": common API flaws are wired in on purpose so that users can interact with the API, observe how each weakness is abused, and learn practical mitigations without touching a real system. The application simulates a car buying journey, which gives the security challenges a relatable business context.

Quick Start & Requirements

  • Primary Install: Deployment is primarily via Docker or Vagrant.
    • Docker: Requires Docker and docker compose (v1.27.0 or later). Download the release zip archive, change into deploy/docker, pull the prebuilt images (docker compose pull) and start the services (docker compose up -d). Settings can be overridden through a .env file or through environment variables passed on the command line.
    • Vagrant: Requires Vagrant and a virtualization provider such as VirtualBox. Clone the repository, change into deploy/vagrant and run vagrant up.
  • Prerequisites: Docker and docker compose (v1.27.0+) for the Docker option; Vagrant and VirtualBox for the Vagrant option.
  • Access: The application is served at http://localhost:8888 (Docker) or http://192.168.33.20 (Vagrant). A bundled Mailhog instance, used to read the e-mails the application sends during the challenges, is available at http://localhost:8025 or http://192.168.33.20:8025.
  • Links: The README points to separate pages for the setup instructions, the challenges and a troubleshooting guide.
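The Docker procedure above, wrapped in a script, as an added example that is not part of the crAPI repository. It verifies the docker compose version requirement stated in the README before pulling and starting the stack, then waits until the application (port 8888) and Mailhog (port 8025) actually answer. CRAPI_DIR (where the archive was unpacked) and CRAPI_DEPLOY (a guard so the helpers can be sourced without starting containers) are assumptions of this script, not project settings.

```shell
#!/bin/sh
# Added example, not crAPI's own tooling. Assumes the release archive was
# unpacked into $CRAPI_DIR (hypothetical variable) and the default ports
# from the README: 8888 for the application, 8025 for Mailhog.
set -eu

CRAPI_DIR="${CRAPI_DIR:-./crAPI}"      # assumption: extraction directory
API_URL="http://localhost:8888"
MAIL_URL="http://localhost:8025"

# version_ge A B: succeed when dotted version A is >= B (compares up to
# three numeric components; missing components count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Pull the first dotted version out of `docker compose version` output.
# Handles both "Docker Compose version v2.24.5" (plugin) and
# "docker-compose version 1.27.4, build ..." (legacy binary).
parse_compose_version() {
    sed -nE 's/.*[^0-9.]([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/p' | head -n1
}

# Fail early if docker compose is missing or older than the README minimum.
check_compose() {
    v=$(docker compose version 2>/dev/null | parse_compose_version)
    if [ -z "$v" ]; then
        echo "docker compose not found on PATH" >&2
        return 1
    fi
    if ! version_ge "$v" 1.27.0; then
        echo "docker compose $v is older than the required 1.27.0" >&2
        return 1
    fi
    echo "docker compose $v OK"
}

# wait_for_http URL SECONDS: poll until the URL returns a 2xx/3xx or time out.
wait_for_http() {
    i=0
    while [ "$i" -lt "$2" ]; do
        if curl -fsS -o /dev/null "$1"; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "timed out after $2s waiting for $1" >&2
    return 1
}

deploy_crapi() {
    check_compose
    cd "$CRAPI_DIR/deploy/docker"
    docker compose pull
    docker compose up -d
    wait_for_http "$API_URL" 120
    wait_for_http "$MAIL_URL" 30
    echo "crAPI is up at $API_URL (Mailhog at $MAIL_URL)"
}

# Only start containers when explicitly asked, e.g. CRAPI_DEPLOY=1 sh deploy.sh
if [ "${CRAPI_DEPLOY:-0}" = "1" ]; then
    deploy_crapi
fi
```

Run it on the lab host only: the compose file publishes the service ports, and crAPI has no business being reachable from anything but the machine you are training on.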

Highlighted Details

  • Focuses on educating users about the "ten most critical API security risks."
  • Employs a modern microservices architecture for realistic simulation.
  • Intentionally vulnerable design facilitates hands-on security training.

Maintenance & Community

The project asks users to report problems by opening tickets in the GitHub Issues section. The README names no community channels (Discord, Slack and the like) and gives no details on core contributors or sponsorship.

Licensing & Compatibility

The README does not state a license. Check the LICENSE file in the repository before using crAPI commercially or embedding it in a closed-source project.

Limitations & Caveats

crAPI is vulnerable by design and must never be deployed in or near a production environment. Its purpose is educational: its security posture is intentionally broken to demonstrate attack vectors. Run it on an isolated host or network segment, keep its published ports off interfaces reachable from untrusted networks, and tear it down when the exercise is over.

Health Check

Last Commit: 1 day ago
Responsiveness: Inactive
Pull Requests (30d): 2
Issues (30d): 2
Star History: 22 stars in the last 30 days
